Offering · Compliance

The CRA has a date.
Your readiness should too.

The EU Cyber Resilience Act applies to virtually every connected product on the EU market. The obligations are concrete, dated, and closer than most roadmaps assume. ROSA's answer: compliance evidence generated by the foundation, not assembled by hand before every audit.

Check where you stand How an engagement starts

The deadlines

Two dates every connected-product manufacturer should know.

11 September 2026

Reporting obligations apply

Actively exploited vulnerabilities and severe incidents must be reported, with a 24-hour early warning to ENISA and your CSIRT. That presupposes you know what's in your firmware and whether it's affected. Without a current SBOM and CVE watch, you can't even start the clock.

11 December 2027

Main obligations apply

Security by design, vulnerability handling processes, secure update capability, and technical documentation, for the product's whole support life. Products designed in 2026 will ship into this regime. The foundation you choose now decides how expensive this becomes.

Regulation (EU) 2024/2847, in force. Dates per the regulation's application schedule.

The approach

Evidence generated by the foundation. Not assembled before audits.

Every CRA requirement maps to something ROSA produces as a by-product of normal development, visible in Atelier, exportable per release.

A live SBOM, per build

Generated by the build pipeline for every release, never maintained by hand, so never stale.

CVE watch with recorded handling

Vulnerability records matched against your actual SBOM. Every finding carries a state, an owner, and a handling note, and that record is your CRA vulnerability-handling evidence.

Updateability, built in

Secure OTA with rollback is a ROSA Foundation capability, not a per-product project. "Can you patch the field?" has a standing answer.

Evidence packs, per release

Test results, SBOM snapshot, and findings status, exportable as one package when someone asks. And someone will ask.

ROSA Atelier, CRA track with CVE findings, SBOM and evidence packs

The CRA track in ROSA Atelier: findings against the live SBOM, handling states with owners, evidence packs per release.

What we promise, precisely

Evidence readiness. Not certification.

4Rooks does not certify your product, and you should be suspicious of anyone who claims their platform makes you "CRA compliant" by installation. Compliance is a property of your product and your processes.

What a foundation can do is make the evidence exist, stay current, and cost nothing extra to produce, so that when obligations, auditors, or customers ask, the answer is an export, not a quarter of engineering time.

Start small: the CRA readiness check

Two days, fixed price, on your portfolio: where you stand against the dated obligations, which gaps matter, and a prioritized plan to close them, whether or not ROSA is part of the answer.

Book the readiness check →

September 2026 is not far away.

A 45-minute call tells you whether you have a CRA problem, and how big. Free, no sales deck.

Talk to us →